AD FS 2.0 Design Guide

Updated: April 28, 2011

Applies To: Active Directory Federation Services (AD FS) 2.0

You can use AD FS 2.0 in a federation services provider role to seamlessly authenticate your users to any Web-based services or applications that reside in a resource partner organization, without the need for administrators to create or maintain external trusts or forest trusts between the networks of both organizations and without the need for the users to log on a second time. The process of authenticating to one network while accessing resources in another network—without the burden of repeated logon actions by users—is known as single sign-on (SSO).

For more information about how AD FS 2.0 works and how to set up AD FS 2.0 in a test lab, see the following resources:

You can find additional AD FS 2.0 resource links at the AD FS 2.0 Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS 2.0 Community and is monitored on a regular basis by the AD FS Product Team.

This guide provides recommendations to help you plan a new deployment of AD FS 2.0, based on the requirements of your organization (also referred to in this guide as deployment goals) and the particular design that you want to create. This guide is intended for use by an infrastructure specialist or system architect. It highlights your main decision points as you plan your AD FS 2.0 deployment. Before you read this guide, you should have a good understanding of how AD FS 2.0 works on a functional level. You should also have a good understanding of the organizational requirements that will be reflected in your AD FS 2.0 design.

This guide describes a set of deployment goals that are based on three primary AD FS 2.0 designs, and it helps you decide the most appropriate design for your environment. You can use these deployment goals to form one of the following comprehensive AD FS 2.0 designs or a custom design that meets the needs of your environment:

Federated Web SSO to support business-to-business (B2B) scenarios and to support collaboration between business units with independent forests

Web SSO to support customer access to applications in business-to-consumer (B2C) scenarios

For each design, you will find guidelines for gathering the required data about your environment. You can then use these guidelines to plan and design your AD FS 2.0 deployment. After you read this guide and finish gathering, documenting, and mapping your organization's requirements, you will have the information necessary to begin deploying AD FS 2.0 using the guidance in the AD FS 2.0 Deployment Guide.